Privacy Lessons from Snapchat and the FTC

The 2014 spat between Snapchat and the FTC provides an excellent example of what NOT to do when designing and marketing a new application. In recent years, user privacy and responsible consumer data management issues have surged to the forefront of public consciousness. The modern world gives every company that does business online access to an unprecedented amount of data about its customers, as well as the ability to effectively monetize that information—but creates substantial new risks. For many companies, a catastrophic data breach is the most obvious danger. However, any company dealing with large amounts of user-generated data must also keep an eye on what it is telling its customers. Misrepresenting privacy and data practices can have dire public-relations consequences, and potentially expose a company to both private lawsuits and enforcement action by the Federal Trade Commission for deceptive business practices.

The FTC suggests that new product developers build in privacy from the ground up. The FTC strongly recommends that companies limit the information they collect—and ensure the secure storage and safe disposal of what they decide to keep. Good data practices are a start, but insufficient alone. For more specific advice, the FTC has a page dedicated to new app developers.

Privacy Missteps: Snapchat As a Cautionary Tale

Every technology company that offers a public-facing product deals with user privacy in one way or another. Whether it’s an app, a data aggregation tool, or a new people-search engine, concerns about user privacy are an increasingly critical part of the market landscape. For tech startups looking to quickly grow a consumer base or break into a new market, there is a strong temptation to “tell them what they want to hear” to get customers on board as expeditiously as possible. After all, nobody actually reads privacy policies, right? Recent history teaches us that this is exactly the wrong attitude to cultivate.

What They Said

Snapchat marketed itself as an “ephemeral” messaging application, and represented to its users that photos and videos sent via its app would “disappear forever” when a timer set by the sender expired. Snapchat represented its product in these terms through the “description” pages in both the iTunes App Store and Google Play smartphone application marketplaces, as well as in its own website’s Frequently Asked Questions section. Its language seemed unequivocal—and was completely wrong. As it turned out, a variety of third-party tools made it very easy to retain videos and pictures distributed via the app.

As a result of the discrepancy between Snapchat’s representation of its product and the reality of its use, Snapchat was the subject of an FTC complaint in 2014. The FTC alleged that several of Snapchat’s practices were unfair and misleading to Snapchat consumers.

What They Did

The contrast between Snapchat’s behavior and the representations it made to consumers was stark. The storage of video files outside of the application’s own ‘sandbox’ storage area and ubiquitous existence of third-party products easily capable of circumventing the app’s “timer” and “deletion” features were both major flaws in Snapchat’s portrayal of itself as the ‘snap-and-delete’ app, and the company was informed of these vulnerabilities as early as 2012. Additionally, users could easily take screenshots of the supposedly “ephemeral” snaps without the use of any third-party software at all, and Snapchat’s claim that senders would be automatically notified if a screenshot was taken of one of their images was highly misleading due to the app’s inability to provide such notice on all mobile platforms (and the ease with which the feature could be circumvented).

On Android mobile platforms, Snapchat integrated an analytics feature that collected users’ location information—without disclosing to consumers that it was accessing location information, and while continuing to represent in its privacy policy that it did not do so. Finally, prior to 2012, the company misled consumers by accessing their phone “contacts” via the app’s “find friends” feature without disclosing that the app was doing so, while also representing in its privacy policy that the only information collected was an “email, phone number, and Facebook id.”

The Consequences

As a result of the FTC complaint, in 2014 Snapchat entered into a consent decree that required several changes to its behavior. The decree obligated the company to stop misleading consumers, put in place a comprehensive privacy program, designate employees responsible for that program, and obtain biennial assessments of that program’s effectiveness to be provided to the FTC through the year 2034. The FTC also obligated Snapchat, on an ongoing basis, to provide the regulator with any “statements disseminated to consumers” that describe its privacy or security practices, as well as any consumer complaints it received, and additionally to send copies of the consent decree to any future subsidiaries.

Takeaways from Snapchat

Particularly for companies whose primary revenue source is their consumers’ data, transparent data practices are critical. For a new tech company, up-front disclosure of the kinds of data you are collecting and who you are sharing it with can go a long way to avoiding both the FTC’s and the public’s ire. Ensuring open communication between the marketing and development teams, as well as legal counsel and business decision-makers, is also key—if a company’s developers are building features into its product that do something expressly contrary to the company’s privacy policy, the company becomes a prime target for an expensive and embarrassing enforcement action.